--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/httpoxy.patch Wed Jul 27 05:05:45 2016 -0700
@@ -0,0 +1,39 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+http://svn.apache.org/viewvc?view=revision&revision=1753228
+http://svn.apache.org/viewvc?view=revision&revision=1753229
+
+--- docs/conf/httpd.conf.in 2016/07/18 14:00:30 1753227
++++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228
+@@ -283,6 +283,15 @@
+ Require all granted
+ </Directory>
+
++<IfModule headers_module>
++ #
++ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
++ # backend servers which have lingering "httpoxy" defects.
++ # 'Proxy' request header is undefined by the IETF, not listed by IANA
++ #
++ RequestHeader unset Proxy early
++</IfModule>
++
+ <IfModule mime_module>
+ #
+ # TypesConfig points to the file containing the list of mappings from
+--- server/util_script.c 2016/07/18 14:00:30 1753227
++++ server/util_script.c 2016/07/18 14:07:00 1753228
+@@ -186,6 +186,14 @@
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
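Review bot: The embedded `server/util_script.c` hunk calls `ap_cstr_casecmp` while the context branch just above it still uses `strcasecmp`, so the patch only builds if the packaged apache24 source already declares that helper. The component version is not visible here, so please confirm, and otherwise use `else if (!strcasecmp(hdrs[i].key, "Proxy")) {` to match the neighbouring branches. Separately, the `RequestHeader unset Proxy early` stanza lands only in the `docs/conf/httpd.conf.in` template and inside `<IfModule headers_module>`, so it presumably never reaches an already-installed httpd.conf and is skipped silently when mod_headers is not loaded. In those cases only the C change applies, which appears to cover the CGI environment built by this server but not the proxied backends the config comment mentions. The patch header is three bare URLs, so I would add a line such as `Drops the client "Proxy" request header before the CGI environment is built (httpoxy); existing httpd.conf files need the RequestHeader stanza added by hand.`, noting also that the enclosing function in util_script.c starts and ends outside the embedded hunk.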